Robert Nied, CISSP, CISM, CHSIII

1
Information Security Policies

• The best approach and
• the most common mistakes

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
2
Information Security Policies

• Information security is not a technical
• issue, it is an organizational issue.

An organizations security posture is defined by
its policy.
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
3
Information Security Policies

• Why do you need policies?
• What policies do you need?
• How do you develop them?
• What common mistakes should you avoid?

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
4
Why do you need
Information Security Policies?
If it is not required it will not happen-
policies guide the organization and ensure
consistency over time. It is best practice-
following generally accepted approaches is
necessary to demonstrate due diligence and
appropriate governance. If it is not documented
it does not exist- informal, de facto and verbal
policies are not defensible from audit.
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
5
What
Information Security Policies

Do you need?
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
6
Understanding the documentation hierarchy
Policies Procedures
Instructions
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
7
Information Security Policies
Policies define and articulate the organizations
commitment to protecting the confidentiality,
integrity and availability of information for
which it has stewardship.
High-Level
Non-technical
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
8
Information Security Policies

• Procedures provide guidance on the
• implementation of the goals and
• standards articulated in the
• security policy.

Detailed
Define specific controls
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
9
Information Security Policies
Instructions provide a step-by-step roadmap for
implementing technical controls in support of
security policies and procedures.
Highly technical
Highly granular
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
10
Typical Policy Language

• Acme Widget Company will
• ensure that user workstations are
• configured in a manner that is
• consistent with vendor recommendations
• and best practice standards for
• information security.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
11
Typical Procedure Language
Acme Widget workstations will be
configured with the following minimal controls
services and ports that are not specifically
required will be disabled, security settings
shall be locked, remote access software shall
not be allowed
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
12
Typical Instruction Language
Step One as Administrator, log onto the Vista
Services Optimizer. Step Two disable the
following services chargen, echo, telnet, ...
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
13
Policies

• are freely disseminated to employees,
• vendors, customers, auditors, etc.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
14
Procedures

• Are internal documents. They may contain
• proprietary information.
• They are disseminated by work group,
• as necessary.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
15
Instructions

• Are highly controlled, sensitive internal
  documents. They are disseminated to the staff on
  a need to know basis only.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
16
Developing Security Policies

• Follow Best Practice Standards. Dont reinvent
  the wheel.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
17
Developing Security Policies

• Follow Best Practice Standards
• ISO 27002 (ISO 17799), ISO 27001, NIST 800
  Series, Compliance Guidelines (HIPAA, GLBA, PCI,
  FISMA, NERC, etc.)

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
18
Developing Security Policies

• Follow Best Practice Standards
• ISO 27002 (ISO 17799), ISO 27001, NIST 800
  Series, Compliance Guidelines (HIPAA, GLBA, PCI,
  FISMA, NERC, etc.)

BUT
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
19
Developing Security Policies
Avoid templates and boiler plate policies.
Standards-based does not mean generic
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
20
Developing Security Policies
Policies must reflect the organizations
operational reality. A good policy applies best
practice standards within the unique context of
the organization.
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
21
Developing Security Policies
Do not define controls or requirements that you
cant sustain, cant fund, or cant enforce.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
22
Developing Security Policies
Define controls that are reasonable.
User passwords will be 18 characters in
length, use numbers, letters and symbols, must
be changed every 10 days and must not be written
down.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
23
Developing Security Policies

• Define controls that are reasonable.

User passwords will be 8 characters in length,
containing at least one number and one symbol.
Passwords must be changed every 30 days.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
24
Developing Security Policies
Define controls that are enforceable.
Users shall secure portable (laptop) computers
to an immovable object, using a cable lock,
whenever they are using the device at a
customers site.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
25
Developing Security Policies

• Define controls that are enforceable.

Portable computers (laptops) will be configured
to use hard disc encryption.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
26
Policy Content and Format
Follow a best practice framework. Use consistent
language, style and format.
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
27
Important Policy Sections

• Document Information - document number, issue
  date, filing instructions, superceedures, etc.
• Overall Security Policy Statement
• Regulatory Compliance
• Organizational Security - roles and
  responsibilities, personnel security, security
  training and awareness
• Security of Third Party Access

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
28
Important Policy Sections

• Outsourcing- standards for vendors, developers,
  etc.
• Asset Classification and Control- inventory,
  licenses
• Information Classification- classification
  guidelines, labeling and handling, version
  control
• Security Incident Response - CIRT Teams, forensic
  requirements
• Physical and Environmental Security - locks,
  identification tags, media safes, HVAC, fire
  suppression

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
29

• Equipment Security - power supplies, secure
  disposal and re-use, etc.
• Protection from Malicious Software and Code
• Network Management
• Removable Media Control
• Exchange of Information - email, IM, etc.
• Access Control
• User Access Management
• User Responsibilities - acceptable use, etc.
• Network Access Control
• Operating System Access Control
• Application Access Control
• Monitoring System and Network Activity
• Mobile Computing - laptops

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
30

• System Development Life-Cycle
• Cryptographic Controls
• Disaster Recovery
• Business Continuity
• Audit
• Penalties for Non-Compliance
• Policy Update and Review
• Policy Exceptions and Waivers
• Authority
• Risk Assessment
• Change Management

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
31

• Audit
• Network Management
• Remote Access/Mobile Computing
• Removable Media
• Encryption
• Workstation Configuration
• Router Configuration
• Server Configuration
• VPN Configuration
• Wireless Networks Configuration
• System by System Recovery
• Incident Response and Forensic investigation

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
32

• Common Policy and Procedure Omissions

Succession Planning (Business Continuity) Pandemic
Planning (Business Continuity) Server and
Workstation Configuration (Instructions) Applicati
on Security (SDLC) Change Control (web, routers,
firewalls) Version Control Patch Management Asset
Management Removable Media Control
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
33
Dissemination and socialization

• Policies must be clearly written, non-technical
  and easily navigable.
• Require employees to read and acknowledge where
  possible.
• Review policies annually with employees.
• Include policy compliance in RFPs and contracts.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
34
Dissemination and socialization

• Consider electronic/web-based documents.
• Navigable, searchable, more likely to be
  referenced by developers, administrators,
  vendors, etc.

Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
35
AVOID
Policy by the pound - do not expect to cover
every technical detail or every eventuality. A
disjointed series of documents - that do not
relate in format, tone or content. Language that
is not consistent across the enterprise - IT,
Security, Legal and HR must dovetail.
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09
36
?
QUESTIONS
Robert Nied Email rnied_at_niedgroup.com
Robert Nied, CISSP, CISM, CHS-III Security Policy
Webinar 9/29/09